Since we use Active Directory and Google Apps, it seemed only logical to sync the two instead of maintaining two separate directories.

When creating or editing users, I often found myself making a change in Active Directory, and then making the same change in Google Apps. Or, I'd realize that users weren't arranged the same in both. Over time, I also found that while setting up new users, they would ask if the password for their computer and e-mail was the same. Once I learned about Google Apps Directory Sync and Google Apps Password Sync, I knew I needed to deploy them both.

I started with Directory Sync. Since AD is the source and never written to, I made sure users and groups were arranged as needed. Not much changed there apart from creating Google-specific groups for mailing lists, matched to existing Google groups. Then I spent some time arranging things on the Google side myself, to prevent any massive changes from happening on the first sync. Once that was finished, I installed the tool, ran lots of test syncs, and made sure it was copying only what I wanted. Finally, I did the first sync, which went off without any issues.

By using AD as the source, I was able to add a lot more information to each user, which also resulted in letting me enable contact sharing. With this enabled, users were able to access the global address list.

Password Sync was easier to set up simply because there's not much to it. It just needed to be provided credentials and pointed to an OU. A test user showed it was indeed updating the password within a minute or two. This has resulted in a much more seamless experience for the user; it feels more like one company account instead of the company AD account and a separate e-mail account. With a password expiration policy enabled at a later date, it's also ensured e-mail passwords will be changed, and will also be remembered, as I had several users that would set up Outlook or Thunderbird and then forget the Google password.